Appendix E: OpenLDAP ppolicy.schema

This schema is released with a standard OpenLDAP distribution.

# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.
# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
# Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
# pwdCheckModule etc.
# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!
#Network Working Group J. Sermersheim
#Internet-Draft Novell, Inc
#Expires: April 24, 2005 L. Poitou
# Sun Microsystems
# October 24, 2004
#
#
# Password Policy for LDAP Directories
# draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
# This document is an Internet-Draft and is subject to all provisions
# of section 3 of RFC 3667. By submitting this Internet-Draft, each
# author represents that any applicable patent or other IPR claims of
# which he or she is aware have been or will be disclosed, and any of
# which he or she become aware will be disclosed, in accordance with
# RFC 3668.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as
# Internet-Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six months
# and may be updated, replaced, or obsoleted by other documents at any
# time. It is inappropriate to use Internet-Drafts as reference
# material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt.
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
# Copyright (C) The Internet Society (2004).
#
#Abstract
#
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in Lightweight
# Directory Access Protocol (LDAP) based directories. In order to
# improve the security of LDAP directories and make it difficult for
# password cracking programs to break into directories, it is desirable
# to enforce a set of rules on password usage. These rules are made to
#
# [trimmed]
#
#5. Schema used for Password Policy
#
# The schema elements defined here fall into two general categories. A
# password policy object class is defined which contains a set of
# administrative password policy attributes, and a set of operational
# attributes are defined that hold general password policy state
# information for each user.
#
#5.2 Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1 pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
#5.2.2 pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.3 pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0 the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of the pwdMinAge.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.4 pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be
# reused.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.5 pwdCheckQuality
#
# {TODO: Consider changing the syntax to OID. Each OID will list a
# quality rule (like min len, # of special characters, etc). These
# rules can be specified outsid ethis document.}
#
# {TODO: Note that even though this is meant to be a check that happens
# during password modification, it may also be allowed to happen during
# authN. This is useful for situations where the password is encrypted
# when modified, but decrypted when used to authN.}
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.6 pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.7 pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user.
#
# If this attribute is not present, or if the value is 0 no warnings
# will be returned. If not 0, the value must be smaller than the value
# of the pwdMaxAge attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.8 pwdGraceAuthNLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.9 pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the password
# may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.10 pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0 the password
# cannot be used to authenticate until reset by a password
# administrator.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.11 pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.12 pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.13 pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by a password administrator. If this
# attribute is not present, or if the value is "FALSE", users are not
# required to change their password upon binding after the password
# administrator sets or resets the password. This attribute is not set
# due to any actions specified by this document, it is typically set by
# a password administrator after resetting a user's password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.14 pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is
# assumed. This attribute is intended to be used in the absense of an
# access control mechanism.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.15 pwdSafeModify
#
# This attribute specifies whether or not the existing password must be
# sent along with the new password when being changed. If this
# attribute is not present, a "FALSE" value is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# <MODIFIED> Mozilla extension
# 5.2.16 pwdMaxTotalAttempts
# This attribute may take one of three values:
# a. Zero (0) This indicates that repeat password checking is not invoked.
# The value 0 is defaulted if the attribute is not present.
# b. A positive number in the range 1 to 65535 defines the maximum number of
# failed bind attempts using a repeated password after which any password
# may not be used to authenticate.
# c. -1 (minus 1). This indicates that repeat password detection features are
# required but an unlimited number of repeat password attempts are allowed.
# When repeat password detection is invoked (pwdMaxTotalAttempts is either -1
# or in the range 1 to 65535) each failed password attempt is evaluated against
# the list maintained in pwdUnigueAttempts and if not present will be added to
# pwdUniqueAttempts and also to pwdFailureTime. Thus the first attempt to use
# any password will count toward the value defined in pwdMaxFailure. If the
# failed password is present in pwdUniqueAttempts it will only increment the
# appropriate counter in pwdUniqueAttempts if pwdMaxTotalAttempts is in the
# range 1 to 65535. When the sum of all non-expired counts in pwdUniqueAttempts
# equals pwdMaxTotalAttempts then the action defined by pwdLockout is invoked.
# If this attribute is not present (defaults to 0), or if the value is 0, no
# repeat password detection is invoked and any failed password attempt (whether
# repeat or unique) will count toward the value defined by pwdMaxFailure. If
# the value is set to -1 then an unlimited number of repeat password attempts
# are allowed.
attributetype ( 1.3.6.1.4.1.13769.1.3.1
NAME 'pwdMaxTotalAttempts'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
</MODIFIED>
# HP extensions
#
# pwdCheckModule
#
# This attribute names a user-defined loadable module that provides
# a check_password() function. If pwdCheckQuality is set to '1' or '2'
# this function will be called after all of the internal password
# quality checks have been passed. The function has this prototype:
#
# int check_password( char *password, char **errormessage, void *arg )
#
# The function should return LDAP_SUCCESS for a valid password.
attributetype ( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
DESC 'Loadable module that instantiates "check_password() function'
SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
SUP top
AUXILIARY
MAY ( pwdCheckModule ) )
#5.1 The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 10 describes the
# administration of this object, and the relationship between it and
# particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
SUP top
AUXILIARY
MUST ( pwdAttribute )
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdMaxTotalAttempts $ pwdSafeModify ) )
#5.3 Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of operational
# attributes. These operational attributes are: pwdChangedTime,
# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
# pwdReset, pwdPolicySubEntry.
#
#5.3.1 Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute it applies to. The password
# policy option is defined as the following:
#
# pwd-<passwordAttribute>
#
# where passwordAttribute a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
#
# pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a search
# operation, and does not specify an option, all subtypes of that
# policy state attribute are returned.
#
#5.3.2 pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
# NAME 'pwdChangedTime'
# DESC 'The time the password was last changed'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.3 pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 000001010000Z value means that the account has been
# locked permanently, and that only a password administrator can unlock
# the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
# NAME 'pwdAccountLockedTime'
# DESC 'The time an user account was locked'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.4 pwdFailureTime
#
# This attribute holds the timestamps of the consecutive authentication
# failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
# NAME 'pwdFailureTime'
# DESC 'The timestamps of the last consecutive authentication
# failures'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# USAGE directoryOperation )
#
#5.3.5 pwdHistory
#
# This attribute holds a history of previously used passwords. Values
# of this attribute are transmitted in string format as given by the
# following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time = <generalizedTimeString as specified in 6.14
# of [RFC2252]>
#
# syntaxOID = numericoid ; the string representation of the
# ; dotted-decimal OID that defines the
# ; syntax used to store the password.
# ; numericoid is described in 4.1
# ; of [RFC2252].
#
# length = numericstring ; the number of octets in data.
# ; numericstring is described in 4.1
# ; of [RFC2252].
#
# data = <octets representing the password in the format
# specified by syntaxOID>.
#
# This format allows the server to store, and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
# NAME 'pwdHistory'
# DESC 'The history of user s passwords'
# EQUALITY octetStringMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
# USAGE directoryOperation )
#
#5.3.6 pwdGraceUseTime
#
# This attribute holds the timestamps of grace authentications after a
# password has expired.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
# NAME 'pwdGraceUseTime'
# DESC 'The timestamps of the grace authentication after the
# password has expired'
# EQUALITY generalizedTimeMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#
#5.3.7 pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the password
# has been updated by the password administrator and must be changed by
# the user on first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
# NAME 'pwdReset'
# DESC 'The indication that the password has been reset'
# EQUALITY booleanMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.8 pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
# object.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
# NAME 'pwdPolicySubentry'
# DESC 'The pwdPolicy subentry in effect for this object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
# SINGLE-VALUE
# USAGE directoryOperation )
#
# <MODIFIED> Mozilla extension
# 5.3.10 pwdUniqueAttempts
# This attribute holds a history of previously failed passwords
# attempts up to the limit defined by pwdMaxFailure. Values of this
# attribute are transmitted in string format as given by the following
# ABNF:
#
# pwdUniqueAttempts = time "#" count "#" length "#" data
#
# time = <generalizedTimeString as specified in 6.14
# of [RFC2252]>.
#
# count = Integer ; the count of uses of this password
# ;Integer is described in 6.16 of [RFC2252]
#
# length = numericstring ; the number of octets in data.
# ; numericstring is described in 4.1
# ; of [RFC2252].
#
# data = <octets representing the password in the default hash format
# for the server
#
# In order for equality matching to function properly, the time field
# needs to adhere to a consistent format. For this purpose, the time
# field MUST be in GMT (UCT) format. The time field is set only when
# the attribute is initially added.
#
# (1.3.6.1.4.1.13769.1.3.2
# NAME 'pwdUniqueAttempts'
# DESC 'History of unique passwords attempts'
# EQUALITY octetStringMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
# NO-USER-MODIFICATION
# USAGE directoryOperation )
# When a failed password attempt occurs and the value of pwdMaxTotalAttempts
# is non 0 then pwdUniqueAttempts is searched for a match. If a match occurs
# then the count field of this entry is incremented only if the value of
# pwdMaxTotalAttempts is positive. If no match occurs then an entry is made
# in pwdFailureTime and in pwdUniqueAttempts (with a count field value of 1).
# If pwdMaxTotalAttempts is positive then when the sum of the count field
# values of all items in pwdUniqueAttempts equals pwdMaxTotalAttempts the
# action taken is defined by pwdLockout.
</MODIFIED>
#Disclaimer of Validity
#
# This document and the information contained herein are provided on an
# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
# Copyright (C) The Internet Society (2004). This document is subject
# to the rights, licenses and restrictions contained in BCP 78, and
# except as set forth therein, the authors retain all their rights.

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.